Retirement Plan Cybersecurity Risks - Popular, Inc

Post on 15-Nov-2021


Page 1: Retirement Plan Cybersecurity Risks - Popular, Inc

WHAT YOU NEED TO KNOW

Retirement Plan Cybersecurity Risks:

Page 2

Meet the Team

Daisa Rivera joined Popular Fiduciary Services in 2012 and is responsible for providing advice on legal matters as they apply to the division's fiduciary responsibilities, products and services. While working at Popular, Daisa successfully completed a master's degree in Public Administration and achieved a certification as a Retirement Services Professional. Before joining Popular, Daisa worked at the House of Representatives, where she served as legal advisor.

Christian Rochet is Vice President of Rochet Business Technologies, a local firm which offers information security advisory services and assistance in information technology and cybersecurity for small and medium businesses. He is a certified IT Security Manager and a member of the Information Systems Audit and Control Association (ISACA).

Jeff Foltz is Popular's CISO and a Senior Executive with over 25 years leading IT and cybersecurity initiatives for major financial institutions. His prior work includes Fortune 500 companies and global financial institutions such as Fidelity National Financial and Deutsche Bank, where he served as CISO and led global red team and vulnerability program management. He leads top-level cybersecurity governance strategy, integrating governance into overall business strategy, and advises Boards of Directors on cyber risks and security standards for all platforms. He specializes in threat intelligence, risk identification and mitigation, business continuity, and vendor risk management.

Page 3

Cybersecurity is a Fiduciary Duty

In 2016 the ERISA Advisory Council issued the Cybersecurity Considerations for Benefit Plans report:

Plan fiduciaries must develop policies and procedures

Prudently select and monitor service providers

Continue to educate fiduciaries

Consider acquiring cyber-liability insurance

Act wisely in responding to a breach

Page 4

Cybersecurity is a Fiduciary Duty

There's no comprehensive federal law governing cybersecurity for retirement plans.

ERISA is silent on how to manage cybersecurity risks.

ERISA fiduciaries are held to a very high standard of behavior:

Undivided loyalty

Prudence

Page 5

Cyber Threat Landscape 2020: Trends and Response Actions

Page 6

Prior Year Review Points

Technical Safeguards

Administrative Safeguards

Defense in Depth is designed with the idea to defend a system against any particular attack using several, varying methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information security.

"Defense in Depth" is a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time.

Application Security

Due Diligence

Data Loss

Phishing Simulations

Page 7

Current Trends in SMB Cyber Security Statistics

28% of the Breaches in 2019 Involved Small Business Victims

85% of MSPs Report Ransomware as the Biggest Malware Threat to SMBs in 2019

63% of SMBs Report Experiencing a Data Breach in the Previous 12 Months

70% of SMBs' Employees' Passwords Were Stolen or Lost

https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/

Page 8

Current Trends in SMB Cyber Security Statistics

Weakness

Threats

Defense

• Credentials (52%) Represent the Most Compromised Type of Data in 2019.

• 22% of SMBs Switched to Remote Work Without a Cybersecurity Threat Prevention Plan.

• 47% of SMBs Report Keeping Data Secure as Their Biggest Challenge.

• Phishing Is the Top Threat Action for More Than 30% of Small Organizations.

• 83% of Data Breaches Against SMBs Are Financially Motivated.

• 74% of SMB Data Breaches Involve External Threat Actors.

• 43% of SMBs Lack Any Type of Cybersecurity Defense Plan.

• One in Five SMBs Don't Use Any Endpoint Security Protections.

• 60% of SMBs Choose to Keep Their Heads in the Sand About Attack & Breach Risks.

Page 9

The Numbers…

43%: 43% of cyber attacks target small businesses.

60%: 60% of small businesses that are victims of a cyber attack go out of business within six months.

424%: There was a 424% increase in new small business cyber breaches last year.

Page 10

The Numbers…

62% 80% 64%

Of SMBs have experienced a cyber attack, costing the business $53,987 on average.

Of SMBs agree they lack the in-house skills needed to properly deal with cyber security issues.

Of SMBs are worried that they will be the target of a cyber attack in the next six months.

52%

Of SMBs feel helpless to defend themselves from new forms of cyber attacks.

https://www.cyberianit.com/cybersecurity/

Page 11

Cyber Threat Landscape in 2020

Protecting electronic devices and associated data and information.

Page 12

Small Business, Big Impact

Reputation: Customers and employees expect and trust you to keep their information secure.

Business Cost: Attacks can be extremely costly and threaten the vitality of your business.

Vulnerability: Attackers can see small businesses as easy targets.

Page 13

What are you protecting?

To practice cybersecurity risk management, you can start with these steps:

Identify your business assets.

Identify the value of these assets.

Document the impact to your business of loss or damage to the assets.

Identify the likelihood of loss or harm.

Prioritize your mitigation activities accordingly.

https://www.cyberianit.com/cybersecurity/

Page 14

Cyber Kill-Chain: Attack progression

The Cyber Kill Chain was put forth by Lockheed Martin; it describes the phases of a targeted attack.

The adversary must progress successfully through each stage of the chain before it can achieve its desired objective.

Just one mitigation disrupts the chain and the adversary.

Page 15

Cyber Security Threats

What are the threats businesses face?

Phishing Attacks

Ransomware

Imposter Scams

Insider threats

Geopolitical threats

System misconfigurations

Environmental Events

Page 16

Ransomware & Double-Extortion Ransomware

Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim to restore access to the data upon payment.

Ransom often needs to be paid in cryptocurrency, though even if you do pay there is no guarantee you will get your data back.

Double Extortion is the threat to expose the data to the public on the internet. This is a shaming tactic.

https://www.keepnetlabs.com/top-11-ransomware-attacks-in-2020-2021/

Page 17

Protecting Your Business from Cyber Security Attacks

Create multi-layered protection to include:

• Firewalls, antivirus, & endpoint security solutions

• Network penetration testing

• Cyber security audits

• Computer use, device, & password policies

• Keep current with patches and security standards (TLS 1.2, Java, Flash player)

• Employee cyber security awareness training and phishing simulations

• Access management, control policies & procedures

• Email / Cloud security solutions (such as anti-phishing solutions, spam filters, email signing certificates [S/MIME certificates])

• Incident response and disaster recovery plans

• Maintain current data backups & test restores

Page 18

Remote Access – Work From Home

Threat Vector: Other devices in a home network

Risks:

Outdated WiFi router software

Unpatched PCs or tablets

Weak WPA2 credentials

No PC protections such as firewalls and antivirus, or protections that are not configured properly

Page 19

Factors are:

Something you know… Password

Something you have… Debit Card

Something you are… Biometrics

Implement VPN & Multi-Factor Authentication
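As an added example (not part of the original deck), here is how the three factor categories above translate into an authentication check: a password (something you know) and a time-based one-time code from a phone app (something you have, computed per RFC 6238) are verified separately, and the login counts as multi-factor only when two distinct categories pass. The user's password hash and TOTP secret are constructed sample values.

```python
import hashlib
import hmac
import struct
import time
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # debit card, phone running a TOTP app
    ARE = "something you are"     # biometrics


# Constructed sample secrets for one user (not real credentials).
PASSWORD_SALT = b"example-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"  # the RFC 6238 SHA-1 test-vector key


def check_password(candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)  # constant-time compare


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(candidate: str, t: int) -> bool:
    # Accept the current step and one step either side to tolerate clock drift.
    return any(hmac.compare_digest(candidate, totp(TOTP_SECRET, t + d)) for d in (-30, 0, 30))


def verified_factors(password=None, totp_code=None, now=None):
    """Return the set of factor categories that were presented and verified."""
    now = int(time.time()) if now is None else now
    passed = set()
    if password is not None and check_password(password):
        passed.add(Factor.KNOW)
    if totp_code is not None and check_totp(totp_code, now):
        passed.add(Factor.HAVE)
    return passed


def is_multi_factor(passed) -> bool:
    # A password plus a PIN is still one category; MFA needs two distinct ones.
    return len(passed) >= 2
```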

Page 20

Small Business Perspective On Cybersecurity

Key Realities for SMBs:

Forty-three percent of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves, according to Accenture.

These incidents now cost businesses of all sizes $200,000 on average, reveals insurance carrier Hiscox.

More than half of all small businesses suffered a breach within the last year.

Today it's critical for small businesses

Page 21

Small Business Perspective On Cybersecurity

▪ Key Realities for SMBs:

▪ https://www.thesslstore.com/blog/15-small-business-cyber-security-statistics-that-you-need-to-know/

Page 22

Small Business Perspective On Cybersecurity

Yet…

SMBs do not have the resources of larger companies:

Usually one or two IT staff, if at all

Jacks of all trades (masters of none)

No dedicated IT Security functions

Very little budget, allocated to core business needs.

SMBs are as responsible to the DoL and other regulatory agencies as the big boys are.

As said before by Daisa: "ERISA fiduciaries are held to a very high standard of behavior."

Then, what do we do?

Page 23

Small Business Perspective On Cybersecurity

Leverage a Best Practice approach to Cybersecurity

NIST (National Institute of Standards & Technology) https://www.nist.gov/itl/smallbusinesscyber

SANS Institute https://www.sans.org/blog/resources-for-small-businesses/

SBA (Small Business Administration) https://www.sba.gov/content/introduction-cybersecurity

Banco Popular Fiduciary Services. Yes! Ask them.

Start at the beginning

Draft a set of IT Security policies. Or better yet, borrow them (NIST, SANS, etc.).

Implement and use those policies as a starting point or baseline.

Do a simple gap analysis: What do I need per the policies that is now missing?

Start putting the pieces of the puzzle together.

Page 24

Small Business Perspective On Cybersecurity

To get started: Get help. Contract with a reputable firm that is focused on your size/industry.

When drafting your policies, take as many applicable regulatory requirements into consideration as possible. In other words, kill as many birds with as few stones ($$) as you can.

Leverage the Cloud as much as feasible. Still, do your due diligence and read the small print.

Stick to industry standard solutions and approaches, but look for value and size-appropriate solutions, not just brands.

Automate as many processes as possible, so that you don't have to dedicate staff you don't have to monitoring events. Leverage AI and get distilled, actionable information.

Keep all your staff apprised of what you are doing and why. They can be your weakest or strongest link; it's up to you. In other words, train the hell out of them!

Page 25

Small Business Perceptions on Cybersecurity

Avoid pitfalls…

▪ Don't think: "I'm too small to be a target of a cyber attack." (Refer to our first slide, the scary stuff.)

▪ Don't try to do it all at once. Start small and allow time to absorb the new tech.

▪ Don't let your system get too old. Keep renewing it. EOL (End-of-Life) equipment is vulnerable equipment.

▪ Don't fall behind in your patching. Unpatched systems are vulnerable systems.

▪ Don't make your backup/replication processes an afterthought of your business. Make them a central piece of it.

▪ Don't set up your security and forget about it. Review it regularly.

▪ Avoid esoteric solutions. Stick to industry standards. This applies to IT in general and IT Sec in particular.

▪ Speaking of which, even if you don't have many people on your IT staff, designate someone to work hand in hand with management on these issues. Call them your Cyber Security Team and listen to them.

▪ Even if you have what you think is a pretty decent cybersecurity strategy in place, don't get too complacent. Test it! Contract a penetration test at least annually and expect to have weaknesses found and vulnerabilities exposed. If everything is fine… it probably isn't.

▪ And remember, for most companies it is not a matter of if, but when they are going to be hit with an attack.

Page 26

Do you have any questions?

Thank You